<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Search input | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'input-search.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/input-search.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/input-search.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/input-search.html" rel="nofollow" target="_blank">../en/input-search.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="xpack-alerting.html">Alerting on cluster and index events</a></span>
»
<span class="breadcrumb-link"><a href="input.html">Inputs</a></span>
»
<span class="breadcrumb-node">Search input</span>
</div>
<div class="navheader">
<span class="prev">
<a href="input-simple.html">« Simple input</a>
</span>
<span class="next">
<a href="input-http.html">HTTP input »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="input-search"></a>Search input<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/watcher/input/search.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>Use the <code class="literal">search</code> input to load the results of an Elasticsearch search request
into the execution context when the watch is triggered. See
<a class="xref" href="input-search.html#search-input-attributes" title="Search Input Attributes">Search Input Attributes</a> for all of the supported attributes.</p>
<p>In the search input’s <code class="literal">request</code> object, you specify:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
The indices you want to search
</li>
<li class="listitem">
The <a class="xref" href="search-request-body.html#request-body-search-search-type" title="Search Type">search type</a>
</li>
<li class="listitem">
The search request body
</li>
</ul>
</div>
<p>The search request body supports the full Elasticsearch Query DSL—​it’s the
same as the body of an Elasticsearch <code class="literal">_search</code> request.</p>
<p>For example, the following input retrieves all <code class="literal">event</code>
documents from the <code class="literal">logs</code> index:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">"input" : {
  "search" : {
    "request" : {
      "indices" : [ "logs" ],
      "body" : {
        "query" : { "match_all" : {}}
      }
    }
  }
}</pre>
</div>
<p>You can use date math and wildcards when specifying indices. For example,
the following input loads the latest VIXZ quote from today’s daily quotes index:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "&lt;stock-quotes-{now/d}&gt;" ],
        "body" : {
          "size" : 1,
          "sort" : {
            "timestamp" : { "order" : "desc"}
          },
          "query" : {
            "term" : { "symbol" : "vix"}
          }
        }
      }
    }
  }
}</pre>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_extracting_specific_fields"></a>Extracting specific fields<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/watcher/input/search.asciidoc">edit</a>
</h3>
</div></div></div>
<p>You can specify which fields in the search response you want to load into the
watch payload with the <code class="literal">extract</code> attribute. This is useful when a search
generates a large response and you are only interested in particular fields.</p>
<p>For example, the following input loads only the total number of hits into the
watch payload:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">"input": {
    "search": {
      "request": {
        "indices": [ ".watcher-history*" ]
      },
      "extract": [ "hits.total.value" ]
    }
  },</pre>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_using_templates"></a>Using Templates<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/watcher/input/search.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The <code class="literal">search</code> input supports <a class="xref" href="search-template.html" title="Search Template">search templates</a>. For
example, the following snippet references the indexed template called
<code class="literal">my_template</code> and passes a value of 23 to fill in the template’s <code class="literal">value</code>
parameter:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logs" ],
        "template" : {
          "id" : "my_template",
          "params" : {
            "value" : 23
          }
        }
      }
    }
  }
  ...
}</pre>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_applying_conditions"></a>Applying conditions<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/watcher/input/search.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The <code class="literal">search</code> input is often used in conjunction with the
<a class="xref" href="condition-script.html" title="Script condition"><code class="literal">script</code></a> condition. For example, the following snippet adds
a condition to check if the search returned more than five hits:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logs" ],
        "body" : {
          "query" : { "match_all" : {} }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total.value" : { "gt" : 5 }}
  }
  ...
}</pre>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_accessing_the_search_results"></a>Accessing the search results<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/watcher/input/search.asciidoc">edit</a>
</h3>
</div></div></div>
<p>Conditions, transforms, and actions can access the search results through the
watch execution context. For example:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
To load all of the search hits into an email body, use <code class="literal">ctx.payload.hits</code>.
</li>
<li class="listitem">
To reference the total number of hits, use <code class="literal">ctx.payload.hits.total.value</code>.
</li>
<li class="listitem">
To access a particular hit, use its zero-based array index. For example, to
get the third hit, use <code class="literal">ctx.payload.hits.hits.2</code>.
</li>
<li class="listitem">
To get a field value from a particular hit, use
<code class="literal">ctx.payload.hits.hits.&lt;index&gt;.fields.&lt;fieldname&gt;</code>. For example, to get the
message field from the first hit, use <code class="literal">ctx.payload.hits.hits.0.fields.message</code>.
</li>
</ul>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>The total number of hits in the search response is returned as an object
in the response. It contains a <code class="literal">value</code>, the number of hits, and a <code class="literal">relation</code> that
indicates if the value is accurate (<code class="literal">"eq"</code>) or a lower bound of the total hits
that match the query (<code class="literal">"gte"</code>). You can set <code class="literal">track_total_hits</code> to true in
the search request to tell Elasticsearch to always track the number of hits
accurately.</p>
</div>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="search-input-attributes"></a>Search Input Attributes<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/watcher/input/search.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="informaltable">
<table border="1" cellpadding="4px">
<colgroup>
<col class="col_1">
<col class="col_2">
<col class="col_3">
<col class="col_4">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Name</th>
<th align="center" valign="top">Required</th>
<th align="left" valign="top">Default</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">request.search_type</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p><code class="literal">query_then_fetch</code></p></td>
<td align="left" valign="top"><p>The <a class="xref" href="search-request-body.html#request-body-search-search-type" title="Search Type">type</a>
                                                                                    of search request to perform. Valid values are: <code class="literal">dfs_query_and_fetch</code>,
                                                                                    <code class="literal">dfs_query_then_fetch</code>, <code class="literal">query_and_fetch</code>, and <code class="literal">query_then_fetch</code>. The
                                                                                    Elasticsearch default is <code class="literal">query_then_fetch</code>.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.indices</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p>-</p></td>
<td align="left" valign="top"><p>The indices to search. If omitted, all indices are searched, which is the
                                                                                    default behaviour in Elasticsearch.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.body</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p>-</p></td>
<td align="left" valign="top"><p>The body of the request. The <a class="xref" href="search-request-body.html" title="Request Body Search">request body</a>
                                                                                    follows the same structure you normally send in the body of a REST <code class="literal">_search</code>
                                                                                    request. The body can be static text or include <code class="literal">mustache</code> <a class="xref" href="how-watcher-works.html#templates" title="Using templates">templates</a>.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.template</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p>-</p></td>
<td align="left" valign="top"><p>The body of the search template. See <a class="xref" href="how-watcher-works.html#templates" title="Using templates">configure templates</a>
                                                                                    for more information.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.indices_options.expand_wildcards</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p><code class="literal">open</code></p></td>
<td align="left" valign="top"><p>How to expand wildcards. Valid values are: <code class="literal">all</code>, <code class="literal">open</code>, <code class="literal">closed</code>, and <code class="literal">none</code>
                                                                                    See <a class="xref" href="multi-index.html" title="Multiple indices"><code class="literal">expand_wildcards</code></a> for more information.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.indices_options.ignore_unavailable</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p><code class="literal">true</code></p></td>
<td align="left" valign="top"><p>Whether the search should ignore unavailable indices. See
                                                                                    <a class="xref" href="multi-index.html" title="Multiple indices"><code class="literal">ignore_unavailable</code></a> for more information.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.indices_options.allow_no_indices</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p><code class="literal">true</code></p></td>
<td align="left" valign="top"><p>Whether to allow a search where a wildcard indices expression results in no
                                                                                    concrete indices. See <a class="xref" href="multi-index.html" title="Multiple indices">allow_no_indices</a>
                                                                                    for more information.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">extract</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p>-</p></td>
<td align="left" valign="top"><p>A array of JSON keys to extract from the search response and load as the payload.
                                                                                    When a search generates a large response, you can use <code class="literal">extract</code> to select the
                                                                                    relevant fields instead of loading the entire response.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">timeout</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p>30s</p></td>
<td align="left" valign="top"><p>The timeout for waiting for the search api call to return. If no response is
                                                                                    returned within this time, the search input times out and fails. This setting
                                                                                    overrides the default search operations timeouts.</p></td>
</tr>
</tbody>
</table>
</div>
<p>You can reference the following variables in the execution context when
specifying the request <code class="literal">body</code>:</p>
<div class="informaltable">
<table border="1" cellpadding="4px">
<colgroup>
<col class="col_1">
<col class="col_2">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Name</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">ctx.watch_id</code></p></td>
<td align="left" valign="top"><p>The id of the watch that is currently executing.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">ctx.execution_time</code></p></td>
<td align="left" valign="top"><p>The time execution of this watch started.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">ctx.trigger.triggered_time</code></p></td>
<td align="left" valign="top"><p>The time this watch was triggered.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">ctx.trigger.scheduled_time</code></p></td>
<td align="left" valign="top"><p>The time this watch was supposed to be triggered.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">ctx.metadata.*</code></p></td>
<td align="left" valign="top"><p>Any metadata associated with the watch.</p></td>
</tr>
</tbody>
</table>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="input-simple.html">« Simple input</a>
</span>
<span class="next">
<a href="input-http.html">HTTP input »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>